Terraform aws provider v5 fixes for terraform modules (#15159)

fleetdm · Nov 16, 2023 · 7b1ea9c · 7b1ea9c
1 parent 7ae2a65
commit 7b1ea9c
Show file tree

Hide file tree

Showing 10 changed files with 42 additions and 42 deletions.
diff --git a/terraform/README.md b/terraform/README.md
diff --git a/terraform/addons/logging-alb/README.md b/terraform/addons/logging-alb/README.md
@@ -52,14 +52,14 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_athena-s3-bucket"></a> [athena-s3-bucket](#module\_athena-s3-bucket) | terraform-aws-modules/s3-bucket/aws | 3.11.0 |
-| <a name="module_s3_bucket_for_logs"></a> [s3\_bucket\_for\_logs](#module\_s3\_bucket\_for\_logs) | terraform-aws-modules/s3-bucket/aws | 3.11.0 |
+| <a name="module_athena-s3-bucket"></a> [athena-s3-bucket](#module\_athena-s3-bucket) | terraform-aws-modules/s3-bucket/aws | 3.15.1 |
+| <a name="module_s3_bucket_for_logs"></a> [s3\_bucket\_for\_logs](#module\_s3\_bucket\_for\_logs) | terraform-aws-modules/s3-bucket/aws | 3.15.1 |
 
 ## Resources
 

diff --git a/terraform/addons/logging-alb/main.tf b/terraform/addons/logging-alb/main.tf
@@ -126,7 +126,7 @@ resource "aws_kms_alias" "logs_alias" {
 
 module "s3_bucket_for_logs" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.11.0"
+  version = "3.15.1"
 
   bucket = "${var.prefix}-alb-logs"
 
@@ -146,6 +146,9 @@ module "s3_bucket_for_logs" {
   server_side_encryption_configuration = {
     rule = {
       bucket_key_enabled = true
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
     }
   }
   lifecycle_rule = [
@@ -161,7 +164,8 @@ module "s3_bucket_for_logs" {
       ]
       expiration = {
         days                         = var.s3_expiration_days
-        expired_object_delete_marker = true
+        # Always resets to false anyhow showing terraform changes constantly
+        expired_object_delete_marker = false
       }
       noncurrent_version_expiration = {
         newer_noncurrent_versions = var.s3_newer_noncurrent_versions
@@ -180,7 +184,7 @@ resource "aws_athena_database" "logs" {
 module "athena-s3-bucket" {
   count   = var.enable_athena == true ? 1 : 0
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.11.0"
+  version = "3.15.1"
 
   bucket = "${var.prefix}-alb-logs-athena"
 
@@ -218,7 +222,8 @@ module "athena-s3-bucket" {
       ]
       expiration = {
         days                         = var.s3_expiration_days
-        expired_object_delete_marker = true
+        # Always resets to false anyhow showing terraform changes constantly
+        expired_object_delete_marker = false
       }
       noncurrent_version_expiration = {
         newer_noncurrent_versions = var.s3_newer_noncurrent_versions

diff --git a/terraform/addons/logging-destination-firehose/README.md b/terraform/addons/logging-destination-firehose/README.md
@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.49.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 
@@ -19,6 +19,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.firehose-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.firehose-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -29,14 +30,13 @@ No modules.
 | [aws_kinesis_firehose_delivery_stream.osquery_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
 | [aws_s3_bucket.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_lifecycle_configuration.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_public_access_block.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_iam_policy_document.firehose-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_results_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_status_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -46,11 +46,12 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_osquery_results_s3_bucket"></a> [osquery\_results\_s3\_bucket](#input\_osquery\_results\_s3\_bucket) | n/a | `string` | `"fleet-osquery-results-archive"` | no |
-| <a name="input_osquery_status_s3_bucket"></a> [osquery\_status\_s3\_bucket](#input\_osquery\_status\_s3\_bucket) | n/a | `string` | `"fleet-osquery-status-archive"` | no |
+| <a name="input_osquery_results_s3_bucket"></a> [osquery\_results\_s3\_bucket](#input\_osquery\_results\_s3\_bucket) | n/a | <pre>object({<br>    name         = optional(string, "fleet-osquery-results-archive")<br>    expires_days = optional(number, 1)<br>  })</pre> | <pre>{<br>  "expires_days": 1,<br>  "name": "fleet-osquery-results-archive"<br>}</pre> | no |
+| <a name="input_osquery_status_s3_bucket"></a> [osquery\_status\_s3\_bucket](#input\_osquery\_status\_s3\_bucket) | n/a | <pre>object({<br>    name         = optional(string, "fleet-osquery-status-archive")<br>    expires_days = optional(number, 1)<br>  })</pre> | <pre>{<br>  "expires_days": 1,<br>  "name": "fleet-osquery-status-archive"<br>}</pre> | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_fleet-extra-env-variables"></a> [fleet-extra-env-variables](#output\_fleet-extra-env-variables) | n/a |
+| <a name="output_fleet_extra_environment_variables"></a> [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
+| <a name="output_fleet_extra_iam_policies"></a> [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
diff --git a/terraform/addons/logging-destination-firehose/main.tf b/terraform/addons/logging-destination-firehose/main.tf
@@ -11,11 +11,6 @@ resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-cus
   bucket = var.osquery_results_s3_bucket.name
 }
 
-resource "aws_s3_bucket_acl" "osquery-results" {
-  bucket = aws_s3_bucket.osquery-results.bucket
-  acl    = "private"
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "osquery-results" {
   bucket = aws_s3_bucket.osquery-results.bucket
   rule {
@@ -54,11 +49,6 @@ resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-cust
   bucket = var.osquery_status_s3_bucket.name
 }
 
-resource "aws_s3_bucket_acl" "osquery-status" {
-  bucket = aws_s3_bucket.osquery-status.bucket
-  acl    = "private"
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "osquery-status" {
   bucket = aws_s3_bucket.osquery-status.bucket
   rule {
@@ -158,19 +148,19 @@ data "aws_iam_policy_document" "osquery_firehose_assume_role" {
 
 resource "aws_kinesis_firehose_delivery_stream" "osquery_results" {
   name        = var.osquery_results_s3_bucket.name
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose-results.arn
     bucket_arn = aws_s3_bucket.osquery-results.arn
   }
 }
 
 resource "aws_kinesis_firehose_delivery_stream" "osquery_status" {
   name        = var.osquery_status_s3_bucket.name
-  destination = "s3"
+  destination = "extended_s3"
 
-  s3_configuration {
+  extended_s3_configuration {
     role_arn   = aws_iam_role.firehose-status.arn
     bucket_arn = aws_s3_bucket.osquery-status.arn
   }

diff --git a/terraform/byo-vpc/.terraform.lock.hcl b/terraform/byo-vpc/.terraform.lock.hcl